The Complete Guide to PCI DSS: Why You Need To Understand PCI Compliance Standards & What Role Payment Processors Play
If you’re a new business owner, you may not know very much about PCI compliance – or even what it is. It’s possible that your first introduction to the subject might be an unexpected fee for PCI compliance showing up on your monthly processing statement. Like it or not, you can expect that PCI compliance is going to be an essential part of running your business. While it may seem like yet another inconvenient regulatory requirement for operating a business, PCI compliance is actually critically important. Meeting your compliance requirements protects your customers’ valuable credit card data from being compromised and stolen by hackers. It also protects you from the possibly severe consequences such a data breach might cause. While there’s no 100% perfect defense against getting hacked, following the established PCI compliance steps gives you the best chance of avoiding a data breach and protecting your business.
The term “PCI compliance” refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS), a common standard of approved security practices established by the PCI Security Standards Council (PCI SSC). This organization was founded by several of the major credit card associations in 2004 to promulgate and enforce a common set of cybersecurity standards to fight credit card fraud and prevent data breaches.
The specific requirements for PCI compliance have changed many times since they were first established fifteen years ago. As of the time of this writing, PCI DSS 3.2.1 is the current standard. However, a new standard, PCI DSS 4.0, is currently in development and is expected to be released sometime in the near future.
You might expect that with a subject as important as cybersecurity and protecting consumers’ credit card data, PCI compliance requirements would be the same regardless of the size or nature of your business. While there are many common requirements that apply to all businesses, the PCI SSC has created a four-level system of classifying businesses, with each level having its own requirements. We’ll go into more detail on PCI merchant levels below, but for now just be thankful that most small businesses will be in Level 4, which has the easiest requirements to meet. As a small business owner, your risk of experiencing a data breach is usually lower than what a large business would face. So, your compliance requirements are easier (and less expensive) to meet.
In this article, we’ll explain the basic concepts behind PCI compliance and show you how to determine the requirements that apply to your business. We’ll also discuss PCI merchant levels. Additionally, we’ll provide an overview of the six main goals of PCI compliance, as well as the twelve steps you’ll need to follow to meet them. Finally, we’ll discuss how your credit card processor fits into the whole PCI compliance scheme, including any fees they might charge you for helping to keep your account compliant. For even more information about PCI compliance, see our article, What Is PCI Compliance And How Does It Affect Your Business?.
Table of Contents
- What Is Your Business’ Risk Level For PCI Compliance?
- Understanding PCI Compliance Goals & Requirements
- Goal One: Build And Maintain A Secure Network And Systems
- Goal Two: Protect Cardholder Data
- Goal Three: Maintain A Vulnerability Management Program
- Goal Four: Implement Strong Access Control Measures
- Goal Five: Regularly Monitor and Test Networks
- Goal Six: Maintain An Information Security Policy
- Self-Assessment Questionnaire (SAQ)
- How Payment Processors Affect Merchants’ PCI Compliance Requirements
- PCI Compliance Is An Ongoing Process, Not A Single Task
- Final Thoughts
What Is Your Business’ Risk Level For PCI Compliance?
The first step in meeting your PCI compliance requirements is to figure out exactly which requirements apply to your business. Fortunately, the PCI SSC has made this a little easier and less confusing by creating a system for classifying businesses and establishing requirements for each level. There are four merchant risk levels, with level four including most small businesses and level one covering only the largest companies.
Which level your business falls in is mostly determined by the overall number of debit and credit card transactions you process on an annual basis. However, it takes a lower number of ecommerce transactions to move up to a higher PCI compliance level due to the additional security risks associated with this payment channel.
It’s also very important to understand that experiencing an actual data breach –whether it was due to an error or omission on your part or not – will usually result in your business being placed in risk level one, regardless of your annual number of card transactions. Complying with the additional requirements of PCI level one can be quite expensive and time-consuming for a small business, so it’s very important that you avoid this situation by meeting the appropriate requirements for your level and keeping your business compliant. Doing so will minimize your chances of getting hacked and suffering a data breach.
For more detailed information about the PCI merchant risk level system, please see our article, The Complete Guide To PCI Compliance Levels. If your business falls in level four (which will apply to most small businesses), you can also refer to our article, The Quick Guide to PCI Compliance for Small Businesses, for more information about specific compliance requirements.
Understanding PCI Compliance Goals & Requirements
PCI DSS version 3.2.1 establishes six overall goals for a successful PCI compliance program, with twelve specific requirements that are designed to meet those goals. While you may or may not want to think of this as a “12-step program,” it’s very important that you fully understand and comply with all twelve requirements. Doing so will ensure that your business is adequately protected from the possibility of a data breach. Also, your customers will – despite not being able to see most of the behind-the-scenes efforts you’re taking on their behalf – have the confidence that their data is properly protected and that it’s safe for them to make a purchase on your site. Finally, you’ll stay in the good graces of your processor and the credit card associations.
Below, we’ll outline the twelve primary requirements for PCI compliance and give you some pointers on how you can meet them. For more detailed information on this subject, refer to the PCI DSS Quick Reference Guide (version 3.2).
Goal One: Build And Maintain A Secure Network And Systems
Just as physical security measures are critically important to a retail business, network security is essential to an ecommerce endeavor. While most of the required measures in this area come down to simple common sense, there are a lot of details to be familiar with, so you’ll want to consult the Quick Reference Guide to ensure that you don’t miss anything.
- Install and maintain a firewall configuration to protect cardholder data. Just as you would always use a firewall to protect your personal computer, it’s essential to install and properly configure a firewall to protect your customers’ payment information.
- Do not use vendor-supplied defaults for system passwords and other security parameters. This step may seem almost too obvious to discuss, but the fact is that many high-profile data breaches have occurred in recent years because someone neglected to change their default passwords. Usernames like “admin” and passwords like “password” just won’t cut it. Change these immediately if you haven’t already done so!
Goal Two: Protect Cardholder Data
According to the Quick Reference Guide, cardholder data includes “any information printed, processed, transmitted or stored in any form on a payment card.” While this mainly refers to electronically-stored information, you will have additional physical security requirements if, for any reason, you’ve printed out any of your customers’ card data.
- Protect stored cardholder data. The first rule of protecting your customers’ card data is to avoid storing it in the first place. Merchant account providers give you several options for doing this, including the use of hosted payment pages that are separate from your business’ website and payment gateway security features such as encryption and tokenization. If you need to store cardholder data, page 15 of the Quick Reference Guide contains detailed instructions as to how to do this, and which elements of cardholder data can be safely stored.
- Encrypt transmission of cardholder data across open, public networks. Take full advantage of any and all encryption features offered by your provider. Even if cardholder data isn’t stored on your website’s server, it can still be vulnerable when transmitted across open, public networks. This is particularly important if your business has a mobile app that customers can use to place orders and pay for purchases.
Goal Three: Maintain A Vulnerability Management Program
The Quick Reference Guide defines vulnerability management as “the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system.” Security procedures, system design, implementation, and internal controls can all be exploited if you’re less than 100% vigilant in your cybersecurity procedures.
- Protect all systems against malware and regularly update antivirus software or programs. Obviously, you’ll need to install and maintain a good antivirus (and possibly antimalware) program. You’ll also need to run regular security scans with these programs and maintain logs documenting your scans.
- Develop and maintain secure systems and applications. This requirement essentially boils down to keeping your security software updated. Install critical security patches as soon as possible – within one month of release, at a minimum. Some security software vendors issue patches on an almost daily basis, so you should look into automating this process.
Goal Four: Implement Strong Access Control Measures
Access control measures regulate how and when your employees can access cardholder data. Control measures include both physical access controls (i.e., locks, safes, and other similar devices) and logical access controls (i.e., access limitations on computers, wireless networks, digital files containing cardholder data, etc.).
- Restrict access to cardholder data by business need to know. “Business need to know” is the controlling principle here. Only allow your employees access to cardholder data to the extent that it is required for them to do their jobs. Educating employees on how to properly safeguard cardholder data is also an important part of meeting this requirement.
- Identify and authenticate access to system components. Every person granted access to cardholder data should be assigned a unique identification (ID) so that actions involving cardholder data can be traced and confirmed. Authentication methods to control access and verify ID can include passwords, token devices, smart cards, biometric identification devices (i.e., fingerprint readers), or a combination of the above. Multi-factor authentication should also be used, and is now a compulsory requirement for non-console administrative access from within your network. The Quick Reference Guide also lists several additional steps that must be taken to meet this requirement.
- Restrict physical access to cardholder data. This requirement encompasses all physical methods used to restrict access to cardholder data. The Quick Reference Guide provides an extensive list of methods for meeting this requirement.
Goal Five: Regularly Monitor and Test Networks
It usually isn’t immediately apparent that your network has been hacked or you’ve experienced a data breach. Thus, it’s critically important to monitor your systems and test for potential vulnerabilities regularly.
- Track and monitor all access to network resources and cardholder data. This requirement is best met by installing system monitoring software that automatically generates logs of all activity on your network. System logs are critically important in determining the cause of a compromise to your network. Under the current PCI DSS standard, service providers must implement a process for timely detection and reporting of failures of critical security control systems.
- Regularly test security systems and processes. Network vulnerability scans are the primary means of complying with this requirement. Although Level 4 merchants are only required to perform these scans once a year, the Quick Reference Guide recommends that all businesses perform them at least quarterly and after any significant change in network configuration. Your merchant account provider will perform these scans as part of their PCI compliance services.
Goal Six: Maintain An Information Security Policy
An information security policy is your primary means of informing your employees of the importance of safeguarding cardholder data and their role in keeping your network secure.
- Maintain a policy that addresses information security for all personnel. Information security policies must be updated at least annually, and whenever there is a significant change to your network environment. A risk assessment process should also be conducted at least annually and before making changes to your information security policy.
Self-Assessment Questionnaire (SAQ)
If you’re not particularly tech-savvy and the above discussion has your head spinning, don’t worry. Your merchant account provider will take care of most of the PCI DSS requirements spelled out above. eCommerce merchants may need to hire a developer or a network security specialist to help with compliance, but for the most part you should be able to rely on your provider to help keep you compliant and also to notify you if you’ve experienced a breach or need to update your security methods due to a new threat.
One step that you will have to accomplish on your own (or with the assistance of your provider) is to complete and submit the PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis. This requirement applies to all Level 2, 3, and 4 merchants. Level 1 merchants must complete a much more thorough assessment (called a Report on Compliance (ROC)) that requires the use of independent security assessors. Today, most merchant account providers offer a mechanism for completing the SAQ online. However, they’re often not very good at notifying you when your current SAQ has expired and needs to be updated. You’ll want to track this information carefully to avoid getting hit with a PCI non-compliance fee if your SAQ expires. For more detailed information on how to complete the SAQ, please refer to the Self-Assessment Questionnaire Instructions and Guidelines.
How Payment Processors Affect Merchants’ PCI Compliance Requirements
If you’ve read this far, you might be feeling a little overwhelmed. The language used by the PCI SSC is more common in military and government circles than in the world of private enterprise. Fortunately, you don’t have to be an expert on cybersecurity to run a PCI-compliant business. A general understanding of PCI compliance theory and a willingness to implement and follow the common-sense measures defined in the Quick Reference Guide will usually be all you need to protect your customers’ cardholder data.
Fortunately, most of the heavy lifting when it comes to PCI compliance has already been done for you by your merchant account provider. However, you don’t want to blindly trust that your provider has done an adequate job with something so important. As part of setting up a solid PCI compliance plan for your business, you should be:
- Ensuring That Your Processing Hardware Is PCI Compliant. All of the commonly used credit card terminals and point-of-sale (POS) systems in use today are fully PCI-compliant right out of the box. However, if you have older processing hardware or have obtained your equipment from a third party, you’ll want to check to be sure that whatever you’re using is indeed compliant with current PCI DSS standards. The Approved PIN Transaction Security (PTS) Devices page on the PCI SSC website has a very useful search engine that allows you to check your device(s) for compliance.
- Checking For Additional Requirements That Are Unique To Your Business. PCI compliance isn’t just for traditional retail or ecommerce businesses. Professional services providers, nonprofits, and businesses that specialize in B2B transactions also need to maintain compliance. Some of these business types will have specific requirements that may differ from those that apply to a standard brick-and-mortar retail business.
- Understanding PCI Compliance Requirements Imposed By Your Provider. What specific actions does your merchant account provider require you to do to maintain compliance? The division of labor between you and your provider will be different with each vendor, so you need to know what tasks are your responsibility and which ones will be handled by your provider. Note that payment services providers (PSPs) such as Square (see our review) and PayPal generally take care of all PCI requirements for you.
PCI Compliance Fees
No discussion of PCI compliance would be complete without also mentioning PCI compliance fees. The services your provider offers to help keep your account compliant don’t cost a lot of money, but most providers will want to recoup them in one form or another. Some providers will charge you a discreet PCI compliance fee, usually on either a monthly or annual basis. Providers that charge annually will usually bill you around $99.00 per year for compliance services. Unfortunately, very few of them will voluntarily refund a pro-rata share of this fee if you close your account in less than a year from paying the fee.
Other providers will charge you a small monthly PCI compliance fee, typically around $8.00 per month. While this is better than getting hit with a large annual fee all at once, wouldn’t it be nice if you didn’t have to pay a PCI compliance fee at all? Of course, it would! However, as we’ve noted above, PCI compliance services such as quarterly vulnerability scans and security features such as tokenization and encryption cost money to provide, and most processors will want to be compensated for those services. Since PCI compliance fees are generally unpopular with merchants, you might find that your contract doesn’t include a PCI compliance fee at all. Don’t be fooled into thinking that you’re getting a freebie! In most cases, you’ll still pay for compliance – either in the form of slightly higher processing rates or a higher monthly account fee.
For a more in-depth discussion of PCI compliance (and non-compliance) fees, please see our article, PCI Compliance Fees: A Fair Processing Charge Or A Junk Fee?.
PCI Compliance Is An Ongoing Process, Not A Single Task
If you’re the type to skip headings when reading an article, go back and read the one above. Keeping your business PCI compliant (and ensuring the security of your customers’ cardholder data) is not a single task, or even a list of tasks that you can check off on a to-do list. It’s a process that will require your constant attention and monitoring.
While it may be obvious that proper PCI compliance procedures are essential to online businesses, be aware that as retail businesses increasingly adopt cloud-based payment processing systems, they’ll have the same stringent requirements. Here’s a brief overview of the most important “foot-stompers” when it comes to PCI compliance:
- Ensure that your network and equipment are protected by a firewall.
- Install a good antivirus program, and keep it updated. Consider adding an antimalware program as well.
- Use strong passwords and consider changing them regularly. A good password manager program such as 1Password or LastPass can be very useful for this requirement.
- Only share passwords and access to cardholder data with employees or contractors on a strict “need to know” basis.
- Use PCI-compliant hardware and software, and install updates when they’re released. Security updates are particularly important, and should be installed as soon as possible.
- Complete your Self-Assessment Questionnaire (SAQ) and keep it updated.
- Ensure that your merchant account provider is performing quarterly network vulnerability scans, and keep logs of the results for your records.
You need to be PCI compliant. This isn’t just a matter of complying with a bureaucratic regulatory requirement or avoiding a PCI non-compliance fee. A data breach that exposes your customers’ cardholder data can have a catastrophic effect on your business, and following proper PCI compliance procedures is your best method of ensuring that this never happens to you.
As we’ve mentioned above, PCI compliance is a continuous process, not a “one-and-done” requirement that you can check off and then ignore. Also, PCI compliance requirements are different for every business, so work with your provider to ensure that you’re following the steps required for your particular type of business.
Finally, some providers do a better job of helping you to maintain PCI compliance than others. Unfortunately, the industry is still rife with shady providers who treat PCI compliance as an opportunity to charge unsuspecting merchants an additional fee – without providing any services in exchange. Don’t let this happen to you! Regardless of whether you’re being charged a PCI compliance fee, you’ll want to ensure that your provider is actually offering the services necessary to keep your account in compliance. Check out our Merchant Account Comparison Chart for a side-by-side overview of our top-rated providers. They all offer solid cybersecurity services, and many of them don’t charge a PCI compliance fee.